elastic · npanone · Mar 14, 2021 · Mar 14, 2021
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -49,6 +49,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Filebeat*
 
+- Add Non-Interactive User Sign-Ins and Service Principal Sign-Ins to azure module.
 - Add fileset to ingest PostgreSQL CSV logs. {pull}23334[23334]
 - Fix parsing of Elasticsearch node name by `elasticsearch/slowlog` fileset. {pull}14547[14547]
 - Improve ECS field mappings in panw module.  event.outcome now only contains success/failure per ECS specification. {issue}16025[16025] {pull}17910[17910]

diff --git a/x-pack/filebeat/module/azure/_meta/config.yml b/x-pack/filebeat/module/azure/_meta/config.yml
@@ -32,6 +32,7 @@
  #     connection_string: ""
  #     storage_account: ""
  #     storage_account_key: ""
+
   signinlogs:
     enabled: false
  #   var:
@@ -40,3 +41,23 @@
  #     connection_string: ""
  #     storage_account: ""
  #     storage_account_key: ""
+
+
+  noninteractiveusersigninlogs:
+    enabled: false
+ #   var:
+ #     eventhub: "insights-logs-noninteractiveusersigninlogs"
+ #     consumer_group: "$Default"
+ #     connection_string: ""
+ #     storage_account: ""
+ #     storage_account_key: ""
+
+
+  serviceprincipalsigninlogs:
+    enabled: false
+ #   var:
+ #     eventhub: "insights-logs-serviceprincipalsigninlogs"
+ #     consumer_group: "$Default"
+ #     connection_string: ""
+ #     storage_account: ""
+ #     storage_account_key: ""
diff --git a/x-pack/filebeat/module/azure/_meta/docs.asciidoc b/x-pack/filebeat/module/azure/_meta/docs.asciidoc
@@ -23,7 +23,13 @@ Will retrieve azure activity logs. Control-plane events on Azure Resource Manage
 Will retrieve azure platform logs. Platform logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on.
 
 `signinlogs` ::
-Will retrieve azure Active Directory sign-in logs. The sign-ins report provides information about the usage of managed applications and user sign-in activities.
+Will retrieve azure Active Directory sign-in logs. The https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins#interactive-user-sign-ins[sign-ins] report provides information about the usage of managed applications and user sign-in activities.
+
+`noninteractiveusersigninlogs` ::
+Will retrieve Azure Active Directory non-interactive user sign-in logs. The https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins#non-interactive-user-sign-ins[non-interactive user sign-ins] report provides authentication information from operating systems or applications authenticating on behalf of the user where providing an authentication factor wasn't required.
+
+`serviceprincipalsigninlogs` ::
+Will retrieve Azure Active Directory service principal sign-in logs. The https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins#service-principal-sign-ins[service principal sign-ins] report provides authentication information from non-user accounts or applications.
 
 `auditlogs` ::
 Will retrieve azure Active Directory audit logs. The audit logs provide traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.

diff --git a/x-pack/filebeat/module/azure/fields.go b/x-pack/filebeat/module/azure/fields.go
diff --git a/x-pack/filebeat/module/azure/noninteractiveusersigninlogs/_meta/fields.yml b/x-pack/filebeat/module/azure/noninteractiveusersigninlogs/_meta/fields.yml
@@ -0,0 +1,166 @@
+- name: signinlogs
+  type: group
+  description: >
+    Fields for Azure sign-in logs.
+  default_field: false
+  fields:
+    - name: operation_name
+      type: keyword
+      description: >
+        The operation name
+    - name: operation_version
+      type: keyword
+      description: >
+        The operation version
+    - name: tenant_id
+      type: keyword
+      description: >
+        Tenant ID
+    - name: result_signature
+      type: keyword
+      description: >
+        Result signature
+    - name: result_description
+      type: keyword
+      description: >
+        Result description
+    - name: result_type
+      type: keyword
+      description: >
+        Result type
+    - name: identity
+      type: keyword
+      description: >
+        Identity
+    - name: category
+      type: keyword
+      description: >
+        Category
+    - name: properties
+      type: group
+      description: >
+        The signin log properties
+      fields:
+        - name: id
+          type: keyword
+          description: >
+            ID
+        - name: created_at
+          type: date
+          description: >
+            Created date time
+        - name: user_display_name
+          type: keyword
+          description: >
+            User display name
+        - name: correlation_id
+          type: keyword
+          description: >
+            Correlation ID
+        - name: user_principal_name
+          type: keyword
+          description: >
+            User principal name
+        - name: user_id
+          type: keyword
+          description: >
+            User ID
+        - name: app_id
+          type: keyword
+          description: >
+            App ID
+        - name: app_display_name
+          type: keyword
+          description: >
+            App display name
+        - name: ip_address
+          type: keyword
+          description: >
+            Ip address
+        - name: client_app_used
+          type: keyword
+          description: >
+            Client app used
+        - name: conditional_access_status
+          type: keyword
+          description: >
+            Conditional access status
+        - name: original_request_id
+          type: keyword
+          description: >
+            Original request ID
+        - name: is_interactive
+          type: keyword
+          description: >
+            Is interactive
+        - name: token_issuer_name
+          type: keyword
+          description: >
+            Token issuer name
+        - name: token_issuer_type
+          type: keyword
+          description: >
+            Token issuer type
+        - name: processing_time_ms
+          type: float
+          description: >
+            Processing time in milliseconds
+        - name: risk_detail
+          type: keyword
+          description: >
+            Risk detail
+        - name: risk_level_aggregated
+          type: keyword
+          description: >
+            Risk level aggregated
+        - name: risk_level_during_signin
+          type: keyword
+          description: >
+            Risk level during signIn
+        - name: risk_state
+          type: keyword
+          description: >
+            Risk state
+        - name: resource_display_name
+          type: keyword
+          description: >
+            Resource display name
+        - name: status
+          type: group
+          description: >
+            Status
+          fields:
+            - name: error_code
+              type: keyword
+              description: >
+                Error code
+        - name: device_detail
+          type: group
+          description: >
+            Status
+          fields:
+            - name: device_id
+              type: keyword
+              description: >
+                Device ID
+            - name: operating_system
+              type: keyword
+              description: >
+                Operating system
+            - name: browser
+              type: keyword
+              description: >
+                Browser
+            - name: display_name
+              type: keyword
+              description: >
+                Display name
+            - name: trust_type
+              type: keyword
+              description: >
+                Trust type
+        - name: service_principal_id
+          type: keyword
+          description: >
+            Status
+
diff --git a/x-pack/filebeat/module/azure/noninteractiveusersigninlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/noninteractiveusersigninlogs/config/azure-eventhub.yml
@@ -0,0 +1,33 @@
+type: azure-eventhub
+{{ if .eventhub }}
+eventhub: {{ .eventhub }}
+storage_account_container: filebeat-noninteractiveusersigninlogs-{{ .eventhub }}
+{{ end }}
+
+{{ if .connection_string }}
+connection_string: {{ .connection_string }}
+{{ end }}
+
+{{ if .consumer_group }}
+consumer_group: {{ .consumer_group }}
+{{ end }}
+
+{{ if .storage_account }}
+storage_account: {{ .storage_account }}
+{{ end }}
+
+{{ if .storage_account_key }}
+storage_account_key: {{ .storage_account_key }}
+{{ end }}
+
+{{ if .resource_manager_endpoint }}
+resource_manager_endpoint: {{ .resource_manager_endpoint }}
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+processors:
+  - add_fields:
+      target: ''
+      fields:
+        ecs.version: 1.8.0
diff --git a/x-pack/filebeat/module/azure/noninteractiveusersigninlogs/config/file.yml b/x-pack/filebeat/module/azure/noninteractiveusersigninlogs/config/file.yml
@@ -0,0 +1,13 @@
+type: log
+paths:
+  {{ range $i, $path := .paths }}
+- {{$path}}
+  {{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+processors:
+  - add_fields:
+      target: ''
+      fields:
+        ecs.version: 1.8.0